]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_quick.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-146.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_quick.c
1 /* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
2
3 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39
40 #include <netinet/in.h>
41
42 #include <stdlib.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <errno.h>
46 #if TIME_WITH_SYS_TIME
47 # include <sys/time.h>
48 # include <time.h>
49 #else
50 # if HAVE_SYS_TIME_H
51 # include <sys/time.h>
52 # else
53 # include <time.h>
54 # endif
55 #endif
56 #ifdef ENABLE_HYBRID
57 #include <resolv.h>
58 #endif
59
60 #ifndef HAVE_NETINET6_IPSEC
61 #include <netinet/ipsec.h>
62 #else
63 #include <netinet6/ipsec.h>
64 #endif
65
66 #include "var.h"
67 #include "vmbuf.h"
68 #include "schedule.h"
69 #include "misc.h"
70 #include "plog.h"
71 #include "debug.h"
72
73 #include "localconf.h"
74 #include "remoteconf.h"
75 #include "handler.h"
76 #include "policy.h"
77 #include "proposal.h"
78 #include "isakmp_var.h"
79 #include "isakmp.h"
80 #include "isakmp_inf.h"
81 #include "isakmp_quick.h"
82 #include "oakley.h"
83 #include "ipsec_doi.h"
84 #include "crypto_openssl.h"
85 #include "pfkey.h"
86 #include "policy.h"
87 #include "algorithm.h"
88 #include "sockmisc.h"
89 #include "proposal.h"
90 #include "sainfo.h"
91 #include "admin.h"
92 #include "strnames.h"
93 #include "nattraversal.h"
94 #include "ipsecSessionTracer.h"
95 #include "ipsecMessageTracer.h"
96 #ifndef HAVE_OPENSSL
97 #include <Security/SecDH.h>
98 #endif
99
100 /* quick mode */
101 static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
102 static int get_sainfo_r __P((struct ph2handle *));
103 static int get_proposal_r __P((struct ph2handle *));
104 static int get_proposal_r_remote __P((struct ph2handle *, int));
105
106 /* \f%%%
107 * Quick Mode
108 */
109 /*
110 * begin Quick Mode as initiator. send pfkey getspi message to kernel.
111 */
112 int
113 quick_i1prep(iph2, msg)
114 struct ph2handle *iph2;
115 vchar_t *msg; /* must be null pointer */
116 {
117 int error = ISAKMP_INTERNAL_ERROR;
118
119 /* validity check */
120 if (iph2->status != PHASE2ST_STATUS2) {
121 plog(LLV_ERROR, LOCATION, NULL,
122 "status mismatched %d.\n", iph2->status);
123 goto end;
124 }
125
126 iph2->msgid = isakmp_newmsgid2(iph2->ph1);
127 if (iph2->ivm != NULL)
128 oakley_delivm(iph2->ivm);
129 iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
130 if (iph2->ivm == NULL)
131 return 0;
132
133 iph2->status = PHASE2ST_GETSPISENT;
134
135 /* don't anything if local test mode. */
136 if (f_local) {
137 error = 0;
138 goto end;
139 }
140
141 /* send getspi message */
142 if (pk_sendgetspi(iph2) < 0) {
143 plog(LLV_ERROR, LOCATION, NULL,
144 "failed to send getspi message");
145 goto end;
146 }
147
148 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
149
150 iph2->sce = sched_new(lcconf->wait_ph2complete,
151 pfkey_timeover_stub, iph2);
152
153 error = 0;
154
155 end:
156 return error;
157 }
158
159 /*
160 * send to responder
161 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
162 */
163 int
164 quick_i1send(iph2, msg)
165 struct ph2handle *iph2;
166 vchar_t *msg; /* must be null pointer */
167 {
168 vchar_t *body = NULL;
169 vchar_t *hash = NULL;
170 #ifdef ENABLE_NATT
171 vchar_t *natoa_i = NULL;
172 vchar_t *natoa_r = NULL;
173 #endif /* ENABLE_NATT */
174 int natoa_type = 0;
175 struct isakmp_gen *gen;
176 char *p;
177 int tlen;
178 int error = ISAKMP_INTERNAL_ERROR;
179 int pfsgroup, idci, idcr;
180 int np;
181 struct ipsecdoi_id_b *id, *id_p;
182
183 /* validity check */
184 if (msg != NULL) {
185 plog(LLV_ERROR, LOCATION, NULL,
186 "msg has to be NULL in this function.\n");
187 goto end;
188 }
189 if (iph2->status != PHASE2ST_GETSPIDONE) {
190 plog(LLV_ERROR, LOCATION, NULL,
191 "status mismatched %d.\n", iph2->status);
192 goto end;
193 }
194
195 /* create SA payload for my proposal */
196 if (ipsecdoi_setph2proposal(iph2) < 0) {
197 plog(LLV_ERROR, LOCATION, NULL,
198 "failed to set proposal");
199 goto end;
200 }
201
202 /* generate NONCE value */
203 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
204 if (iph2->nonce == NULL) {
205 plog(LLV_ERROR, LOCATION, NULL,
206 "failed to generate NONCE");
207 goto end;
208 }
209
210 /*
211 * DH value calculation is kicked out into cfparse.y.
212 * because pfs group can not be negotiated, it's only to be checked
213 * acceptable.
214 */
215 /* generate KE value if need */
216 pfsgroup = iph2->proposal->pfs_group;
217 if (pfsgroup) {
218 /* DH group settting if PFS is required. */
219 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
220 plog(LLV_ERROR, LOCATION, NULL,
221 "failed to set DH value.\n");
222 goto end;
223 }
224 #ifdef HAVE_OPENSSL
225 if (oakley_dh_generate(iph2->pfsgrp,
226 &iph2->dhpub, &iph2->dhpriv) < 0) {
227 #else
228 if (oakley_dh_generate(iph2->pfsgrp,
229 &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
230 #endif
231 plog(LLV_ERROR, LOCATION, NULL,
232 "failed to generate DH");
233 goto end;
234 }
235 }
236
237 /* generate ID value */
238 if (ipsecdoi_setid2(iph2) < 0) {
239 plog(LLV_ERROR, LOCATION, NULL,
240 "failed to get ID.\n");
241 goto end;
242 }
243 plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
244 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
245 plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
246 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
247
248 /*
249 * we do not attach IDci nor IDcr, under the following condition:
250 * - all proposals are transport mode
251 * - no MIP6 or proxy
252 * - id payload suggests to encrypt all the traffic (no specific
253 * protocol type)
254 */
255 id = (struct ipsecdoi_id_b *)iph2->id->v;
256 id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
257 if (id->proto_id == 0
258 && id_p->proto_id == 0
259 && iph2->ph1->rmconf->support_proxy == 0
260 && ipsecdoi_transportmode(iph2->proposal)) {
261 idci = idcr = 0;
262 } else
263 idci = idcr = 1;
264
265 /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
266 tlen = + sizeof(*gen) + iph2->sa->l
267 + sizeof(*gen) + iph2->nonce->l;
268 if (pfsgroup)
269 tlen += (sizeof(*gen) + iph2->dhpub->l);
270 if (idci)
271 tlen += sizeof(*gen) + iph2->id->l;
272 if (idcr)
273 tlen += sizeof(*gen) + iph2->id_p->l;
274
275 #ifdef ENABLE_NATT
276 /*
277 * RFC3947 5.2. if we propose UDP-Encapsulated-Transport
278 * we should send NAT-OA
279 */
280 if (ipsecdoi_any_transportmode(iph2->proposal)
281 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
282 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
283 if (natoa_type == -1) {
284 plog(LLV_ERROR, LOCATION, NULL,
285 "failed to generate NAT-OA payload.\n");
286 goto end;
287 } else if (natoa_type != 0) {
288 tlen += sizeof(*gen) + natoa_i->l;
289 tlen += sizeof(*gen) + natoa_r->l;
290
291 plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAi:\n");
292 plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l);
293 plog(LLV_DEBUG, LOCATION, NULL, "initiator send NAT-OAr:\n");
294 plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l);
295 }
296 }
297 #endif
298
299 body = vmalloc(tlen);
300 if (body == NULL) {
301 plog(LLV_ERROR, LOCATION, NULL,
302 "failed to get buffer to send.\n");
303 goto end;
304 }
305
306 p = body->v;
307
308 /* add SA payload */
309 p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
310
311 /* add NONCE payload */
312 if (pfsgroup)
313 np = ISAKMP_NPTYPE_KE;
314 else if (idci || idcr)
315 np = ISAKMP_NPTYPE_ID;
316 else
317 np = (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
318 p = set_isakmp_payload(p, iph2->nonce, np);
319
320 /* add KE payload if need. */
321 np = (idci || idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
322 if (pfsgroup)
323 p = set_isakmp_payload(p, iph2->dhpub, np);
324
325 /* IDci */
326 np = (idcr) ? ISAKMP_NPTYPE_ID : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
327 if (idci)
328 p = set_isakmp_payload(p, iph2->id, np);
329
330 /* IDcr */
331 if (idcr)
332 p = set_isakmp_payload(p, iph2->id_p, natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE);
333
334 /* natoa */
335 if (natoa_type) {
336 p = set_isakmp_payload(p, natoa_i, natoa_type);
337 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
338 }
339
340 /* generate HASH(1) */
341 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
342 if (hash == NULL) {
343 plog(LLV_ERROR, LOCATION, NULL,
344 "failed to compute HASH");
345 goto end;
346 }
347
348 /* send isakmp payload */
349 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
350 if (iph2->sendbuf == NULL) {
351 plog(LLV_ERROR, LOCATION, NULL,
352 "failed to get send buffer");
353 goto end;
354 }
355
356 /* send the packet, add to the schedule to resend */
357 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
358 if (isakmp_ph2resend(iph2) == -1) {
359 plog(LLV_ERROR, LOCATION, NULL,
360 "failed to send packet");
361 goto end;
362 }
363
364 /* change status of isakmp status entry */
365 iph2->status = PHASE2ST_MSG1SENT;
366
367 error = 0;
368
369 IPSECSESSIONTRACEREVENT(iph2->parent_session,
370 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
371 CONSTSTR("Initiator, Quick-Mode message 1"),
372 CONSTSTR(NULL));
373
374 end:
375 if (error) {
376 IPSECSESSIONTRACEREVENT(iph2->parent_session,
377 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
378 CONSTSTR("Initiator, Quick-Mode Message 1"),
379 CONSTSTR("Failed to transmit Quick-Mode Message 1"));
380 }
381 if (body != NULL)
382 vfree(body);
383 if (hash != NULL)
384 vfree(hash);
385 #ifdef ENABLE_NATT
386 if (natoa_i)
387 vfree(natoa_i);
388 if (natoa_r)
389 vfree(natoa_r);
390 #endif /* ENABLE_NATT */
391
392 return error;
393 }
394
395 /*
396 * receive from responder
397 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
398 */
399 int
400 quick_i2recv(iph2, msg0)
401 struct ph2handle *iph2;
402 vchar_t *msg0;
403 {
404 vchar_t *msg = NULL;
405 vchar_t *hbuf = NULL; /* for hash computing. */
406 vchar_t *pbuf = NULL; /* for payload parsing */
407 struct isakmp_parse_t *pa;
408 struct isakmp *isakmp = (struct isakmp *)msg0->v;
409 struct isakmp_pl_hash *hash = NULL;
410 int f_id;
411 char *p;
412 int tlen;
413 int error = ISAKMP_INTERNAL_ERROR;
414 struct sockaddr *natoa_i = NULL;
415 struct sockaddr *natoa_r = NULL;
416
417 /* validity check */
418 if (iph2->status != PHASE2ST_MSG1SENT) {
419 plog(LLV_ERROR, LOCATION, NULL,
420 "status mismatched %d.\n", iph2->status);
421 goto end;
422 }
423
424 /* decrypt packet */
425 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
426 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
427 "Packet wasn't encrypted.\n");
428 goto end;
429 }
430 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
431 if (msg == NULL) {
432 plog(LLV_ERROR, LOCATION, NULL,
433 "failed to decrypt");
434 goto end;
435 }
436
437 /* create buffer for validating HASH(2) */
438 /*
439 * ordering rule:
440 * 1. the first one must be HASH
441 * 2. the second one must be SA (added in isakmp-oakley-05!)
442 * 3. two IDs must be considered as IDci, then IDcr
443 */
444 pbuf = isakmp_parse(msg);
445 if (pbuf == NULL) {
446 plog(LLV_ERROR, LOCATION, NULL,
447 "failed to parse msg");
448 goto end;
449 }
450 pa = (struct isakmp_parse_t *)pbuf->v;
451
452 /* HASH payload is fixed postion */
453 if (pa->type != ISAKMP_NPTYPE_HASH) {
454 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
455 "received invalid next payload type %d, "
456 "expecting %d.\n",
457 pa->type, ISAKMP_NPTYPE_HASH);
458 goto end;
459 }
460 hash = (struct isakmp_pl_hash *)pa->ptr;
461 pa++;
462
463 /*
464 * this restriction was introduced in isakmp-oakley-05.
465 * we do not check this for backward compatibility.
466 * TODO: command line/config file option to enable/disable this code
467 */
468 /* HASH payload is fixed postion */
469 if (pa->type != ISAKMP_NPTYPE_SA) {
470 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
471 "received invalid next payload type %d, "
472 "expecting %d.\n",
473 pa->type, ISAKMP_NPTYPE_HASH);
474 }
475
476 /* allocate buffer for computing HASH(2) */
477 tlen = iph2->nonce->l
478 + ntohl(isakmp->len) - sizeof(*isakmp);
479 if (tlen < 0) {
480 plog(LLV_ERROR, LOCATION, NULL,
481 "invalid length (%d,%d) while getting hash buffer.\n",
482 iph2->nonce->l, ntohl(isakmp->len));
483 goto end;
484 }
485 hbuf = vmalloc(tlen);
486 if (hbuf == NULL) {
487 plog(LLV_ERROR, LOCATION, NULL,
488 "failed to get hash buffer.\n");
489 goto end;
490 }
491 p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
492
493 /*
494 * parse the payloads.
495 * copy non-HASH payloads into hbuf, so that we can validate HASH.
496 */
497 iph2->sa_ret = NULL;
498 f_id = 0; /* flag to use checking ID */
499 tlen = 0; /* count payload length except of HASH payload. */
500 for (; pa->type; pa++) {
501
502 /* copy to buffer for HASH */
503 /* Don't modify the payload */
504 memcpy(p, pa->ptr, pa->len);
505
506 switch (pa->type) {
507 case ISAKMP_NPTYPE_SA:
508 if (iph2->sa_ret != NULL) {
509 plog(LLV_ERROR, LOCATION, NULL,
510 "Ignored, multiple SA "
511 "isn't supported.\n");
512 break;
513 }
514 if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
515 plog(LLV_ERROR, LOCATION, NULL,
516 "failed to process SA payload");
517 goto end;
518 }
519 break;
520
521 case ISAKMP_NPTYPE_NONCE:
522 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
523 plog(LLV_ERROR, LOCATION, NULL,
524 "failed to process NONCE payload");
525 goto end;
526 }
527 break;
528
529 case ISAKMP_NPTYPE_KE:
530 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
531 plog(LLV_ERROR, LOCATION, NULL,
532 "failed to process KE payload");
533 goto end;
534 }
535 break;
536
537 case ISAKMP_NPTYPE_ID:
538 {
539 vchar_t *vp;
540
541 /* check ID value */
542 if (f_id == 0) {
543 /* for IDci */
544 vp = iph2->id;
545 } else {
546 /* for IDcr */
547 vp = iph2->id_p;
548 }
549
550 /* These ids may not match when natt is used with some devices.
551 * RFC 2407 says that the protocol and port fields should be ignored
552 * if they are zero, therefore they need to be checked individually.
553 */
554 struct ipsecdoi_id_b *id_ptr = (struct ipsecdoi_id_b *)vp->v;
555 struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;
556
557 if (id_ptr->type != idp_ptr->b.type
558 || (idp_ptr->b.proto_id != 0 && idp_ptr->b.proto_id != id_ptr->proto_id)
559 || (idp_ptr->b.port != 0 && idp_ptr->b.port != id_ptr->port)
560 || memcmp(vp->v + sizeof(struct ipsecdoi_id_b), (caddr_t)pa->ptr + sizeof(struct ipsecdoi_pl_id),
561 vp->l - sizeof(struct ipsecdoi_id_b))) {
562 // to support servers that use our external nat address as our ID
563 if (iph2->ph1->natt_flags & NAT_DETECTED) {
564 plog(LLV_WARNING, LOCATION, NULL,
565 "mismatched ID was returned - ignored because nat traversal is being used.\n");
566 /* If I'm behind a nat and the ID is type address - save the address
567 * and port for when the peer rekeys.
568 */
569 if (f_id == 0 && (iph2->ph1->natt_flags & NAT_DETECTED_ME)) {
570 if (lcconf->ext_nat_id)
571 vfree(lcconf->ext_nat_id);
572 if (idp_ptr->h.len < sizeof(struct isakmp_gen)) {
573 plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while allocating external nat id.\n", idp_ptr->h.len);
574 goto end;
575 }
576 lcconf->ext_nat_id = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
577 if (lcconf->ext_nat_id == NULL) {
578 plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating external nat id.\n");
579 goto end;
580 }
581 memcpy(lcconf->ext_nat_id->v, &(idp_ptr->b), lcconf->ext_nat_id->l);
582 if (iph2->ext_nat_id)
583 vfree(iph2->ext_nat_id);
584 iph2->ext_nat_id = vdup(lcconf->ext_nat_id);
585 if (iph2->ext_nat_id == NULL) {
586 plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating ph2's external nat id.\n");
587 goto end;
588 }
589 plog(LLV_DEBUG, LOCATION, NULL, "external nat address saved.\n");
590 plogdump(LLV_DEBUG, iph2->ext_nat_id->v, iph2->ext_nat_id->l);
591 } else if (f_id && (iph2->ph1->natt_flags & NAT_DETECTED_PEER)) {
592 if (iph2->ext_nat_id_p)
593 vfree(iph2->ext_nat_id_p);
594 iph2->ext_nat_id_p = vmalloc(ntohs(idp_ptr->h.len) - sizeof(struct isakmp_gen));
595 if (iph2->ext_nat_id_p == NULL) {
596 plog(LLV_ERROR, LOCATION, NULL, "memory error while allocating peers ph2's external nat id.\n");
597 goto end;
598 }
599 memcpy(iph2->ext_nat_id_p->v, &(idp_ptr->b), iph2->ext_nat_id_p->l);
600 plog(LLV_DEBUG, LOCATION, NULL, "peer's external nat address saved.\n");
601 plogdump(LLV_DEBUG, iph2->ext_nat_id_p->v, iph2->ext_nat_id_p->l);
602 }
603 } else {
604 plog(LLV_ERROR, LOCATION, NULL, "mismatched ID was returned.\n");
605 error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
606 goto end;
607 }
608 }
609 if (f_id == 0)
610 f_id = 1;
611 }
612 break;
613
614 case ISAKMP_NPTYPE_N:
615 isakmp_check_ph2_notify(pa->ptr, iph2);
616 break;
617
618 #ifdef ENABLE_NATT
619 case ISAKMP_NPTYPE_NATOA_DRAFT:
620 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
621 case ISAKMP_NPTYPE_NATOA_RFC:
622 {
623 vchar_t *vp = NULL;
624 struct sockaddr *daddr;
625
626 isakmp_p2ph(&vp, pa->ptr);
627
628 if (vp) {
629 daddr = process_natoa_payload(vp);
630 if (daddr) {
631 if (natoa_i == NULL) {
632 natoa_i = daddr;
633 plog(LLV_DEBUG, LOCATION, NULL, "initiaor rcvd NAT-OA i: %s\n",
634 saddr2str(natoa_i));
635 } else if (natoa_r == NULL) {
636 natoa_r = daddr;
637 plog(LLV_DEBUG, LOCATION, NULL, "initiator rcvd NAT-OA r: %s\n",
638 saddr2str(natoa_r));
639 } else {
640 racoon_free(daddr);
641 }
642 }
643 vfree(vp);
644 }
645
646 }
647 break;
648 #endif
649
650 default:
651 /* don't send information, see ident_r1recv() */
652 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
653 "ignore the packet, "
654 "received unexpecting payload type %d.\n",
655 pa->type);
656 goto end;
657 }
658
659 p += pa->len;
660
661 /* compute true length of payload. */
662 tlen += pa->len;
663 }
664
665 /* payload existency check */
666 if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
667 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
668 "few isakmp message received.\n");
669 goto end;
670 }
671
672 /* Fixed buffer for calculating HASH */
673 memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
674 plog(LLV_DEBUG, LOCATION, NULL,
675 "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
676 hbuf->l, tlen + iph2->nonce->l);
677 /* adjust buffer length for HASH */
678 hbuf->l = iph2->nonce->l + tlen;
679
680 /* validate HASH(2) */
681 {
682 char *r_hash;
683 vchar_t *my_hash = NULL;
684 int result;
685
686 r_hash = (char *)hash + sizeof(*hash);
687
688 plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
689 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
690
691 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
692 if (my_hash == NULL) {
693 plog(LLV_ERROR, LOCATION, NULL,
694 "failed to compute HASH");
695 goto end;
696 }
697
698 result = memcmp(my_hash->v, r_hash, my_hash->l);
699 vfree(my_hash);
700
701 if (result) {
702 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
703 "HASH(2) mismatch.\n");
704 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
705 goto end;
706 }
707 }
708
709 /* validity check SA payload sent from responder */
710 if (ipsecdoi_checkph2proposal(iph2) < 0) {
711 plog(LLV_ERROR, LOCATION, NULL,
712 "failed to validate SA proposal");
713 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
714 goto end;
715 }
716
717 /* change status of isakmp status entry */
718 iph2->status = PHASE2ST_STATUS6;
719
720 error = 0;
721
722 IPSECSESSIONTRACEREVENT(iph2->parent_session,
723 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
724 CONSTSTR("Initiator, Quick-Mode message 2"),
725 CONSTSTR(NULL));
726
727 end:
728 if (error) {
729 IPSECSESSIONTRACEREVENT(iph2->parent_session,
730 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
731 CONSTSTR("Initiator, Quick-Mode Message 2"),
732 CONSTSTR("Failed to process Quick-Mode Message 2 "));
733 }
734 if (hbuf)
735 vfree(hbuf);
736 if (pbuf)
737 vfree(pbuf);
738 if (msg)
739 vfree(msg);
740
741 #ifdef ENABLE_NATT
742 if (natoa_i) {
743 racoon_free(natoa_i);
744 }
745 if (natoa_r) {
746 racoon_free(natoa_r);
747 }
748 #endif
749
750 if (error) {
751 VPTRINIT(iph2->sa_ret);
752 VPTRINIT(iph2->nonce_p);
753 VPTRINIT(iph2->dhpub_p);
754 VPTRINIT(iph2->id);
755 VPTRINIT(iph2->id_p);
756 }
757
758 return error;
759 }
760
761 /*
762 * send to responder
763 * HDR*, HASH(3)
764 */
765 int
766 quick_i2send(iph2, msg0)
767 struct ph2handle *iph2;
768 vchar_t *msg0;
769 {
770 vchar_t *msg = NULL;
771 vchar_t *buf = NULL;
772 vchar_t *hash = NULL;
773 char *p = NULL;
774 int tlen;
775 int error = ISAKMP_INTERNAL_ERROR;
776 int packet_error = -1;
777
778 /* validity check */
779 if (iph2->status != PHASE2ST_STATUS6) {
780 plog(LLV_ERROR, LOCATION, NULL,
781 "status mismatched %d.\n", iph2->status);
782 goto end;
783 }
784
785 /* generate HASH(3) */
786 {
787 vchar_t *tmp = NULL;
788
789 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
790
791 tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
792 if (tmp == NULL) {
793 plog(LLV_ERROR, LOCATION, NULL,
794 "failed to get hash buffer.\n");
795 goto end;
796 }
797 memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
798 memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
799
800 hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
801 vfree(tmp);
802
803 if (hash == NULL) {
804 plog(LLV_ERROR, LOCATION, NULL,
805 "failed to compute HASH");
806 goto end;
807 }
808 }
809
810 /* create buffer for isakmp payload */
811 tlen = sizeof(struct isakmp)
812 + sizeof(struct isakmp_gen) + hash->l;
813 buf = vmalloc(tlen);
814 if (buf == NULL) {
815 plog(LLV_ERROR, LOCATION, NULL,
816 "failed to get buffer to send.\n");
817 goto end;
818 }
819
820 /* create isakmp header */
821 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
822 if (p == NULL) {
823 plog(LLV_ERROR, LOCATION, NULL,
824 "failed to create ISAKMP header");
825 goto end;
826 }
827
828 /* add HASH(3) payload */
829 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
830
831 #ifdef HAVE_PRINT_ISAKMP_C
832 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
833 #endif
834
835 /* encoding */
836 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
837 if (iph2->sendbuf == NULL) {
838 plog(LLV_ERROR, LOCATION, NULL,
839 "failed to encrypt packet");
840 goto end;
841 }
842
843 /* if there is commit bit, need resending */
844 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
845 /* send the packet, add to the schedule to resend */
846 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
847 if (isakmp_ph2resend(iph2) == -1) {
848 plog(LLV_ERROR, LOCATION, NULL,
849 "failed to send packet, commit-bit");
850 goto end;
851 }
852 } else {
853 /* send the packet */
854 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
855 plog(LLV_ERROR, LOCATION, NULL,
856 "failed to send packet");
857 goto end;
858 }
859 }
860
861 /* the sending message is added to the received-list. */
862 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
863 iph2->sendbuf, msg0,
864 PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) {
865 plog(LLV_ERROR , LOCATION, NULL,
866 "failed to add a response packet to the tree.\n");
867 goto end;
868 }
869
870 IPSECSESSIONTRACEREVENT(iph2->parent_session,
871 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
872 CONSTSTR("Initiator, Quick-Mode message 3"),
873 CONSTSTR(NULL));
874 packet_error = 0;
875
876 /* compute both of KEYMATs */
877 if (oakley_compute_keymat(iph2, INITIATOR) < 0) {
878 plog(LLV_ERROR, LOCATION, NULL,
879 "failed to compute KEYMAT");
880 goto end;
881 }
882
883 iph2->status = PHASE2ST_ADDSA;
884
885 /* don't anything if local test mode. */
886 if (f_local) {
887 error = 0;
888 goto end;
889 }
890
891 /* if there is commit bit don't set up SA now. */
892 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
893 iph2->status = PHASE2ST_COMMIT;
894 error = 0;
895 goto end;
896 }
897
898 /* Do UPDATE for initiator */
899 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
900 if (pk_sendupdate(iph2) < 0) {
901 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
902 goto end;
903 }
904 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
905
906 /* Do ADD for responder */
907 if (pk_sendadd(iph2) < 0) {
908 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
909 goto end;
910 }
911 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
912
913 error = 0;
914
915 end:
916 if (packet_error) {
917 IPSECSESSIONTRACEREVENT(iph2->parent_session,
918 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
919 CONSTSTR("Initiator, Quick-Mode Message 3"),
920 CONSTSTR("Failed to transmit Quick-Mode Message 3"));
921 }
922 if (buf != NULL)
923 vfree(buf);
924 if (msg != NULL)
925 vfree(msg);
926 if (hash != NULL)
927 vfree(hash);
928
929 return error;
930 }
931
932 /*
933 * receive from responder
934 * HDR#*, HASH(4), notify
935 */
936 int
937 quick_i3recv(iph2, msg0)
938 struct ph2handle *iph2;
939 vchar_t *msg0;
940 {
941 vchar_t *msg = NULL;
942 vchar_t *pbuf = NULL; /* for payload parsing */
943 struct isakmp_parse_t *pa;
944 struct isakmp_pl_hash *hash = NULL;
945 vchar_t *notify = NULL;
946 int error = ISAKMP_INTERNAL_ERROR;
947 int packet_error = -1;
948
949 /* validity check */
950 if (iph2->status != PHASE2ST_COMMIT) {
951 plog(LLV_ERROR, LOCATION, NULL,
952 "status mismatched %d.\n", iph2->status);
953 goto end;
954 }
955
956 /* decrypt packet */
957 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
958 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
959 "Packet wasn't encrypted.\n");
960 goto end;
961 }
962 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
963 if (msg == NULL) {
964 plog(LLV_ERROR, LOCATION, NULL,
965 "failed to decrypt packet\n");
966 goto end;
967 }
968
969 /* validate the type of next payload */
970 pbuf = isakmp_parse(msg);
971 if (pbuf == NULL) {
972 plog(LLV_ERROR, LOCATION, NULL,
973 "failed to parse msg\n");
974 goto end;
975 }
976
977 for (pa = (struct isakmp_parse_t *)pbuf->v;
978 pa->type != ISAKMP_NPTYPE_NONE;
979 pa++) {
980
981 switch (pa->type) {
982 case ISAKMP_NPTYPE_HASH:
983 hash = (struct isakmp_pl_hash *)pa->ptr;
984 break;
985 case ISAKMP_NPTYPE_N:
986 if (notify != NULL) {
987 plog(LLV_WARNING, LOCATION, NULL,
988 "Ignoring multiple notifications\n");
989 break;
990 }
991 isakmp_check_ph2_notify(pa->ptr, iph2);
992 notify = vmalloc(pa->len);
993 if (notify == NULL) {
994 plog(LLV_ERROR, LOCATION, NULL,
995 "failed to get notify buffer.\n");
996 goto end;
997 }
998 memcpy(notify->v, pa->ptr, notify->l);
999 break;
1000 default:
1001 /* don't send information, see ident_r1recv() */
1002 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1003 "ignore the packet, "
1004 "received unexpecting payload type %d.\n",
1005 pa->type);
1006 goto end;
1007 }
1008 }
1009
1010 /* payload existency check */
1011 if (hash == NULL) {
1012 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1013 "few isakmp message received.\n");
1014 goto end;
1015 }
1016
1017 /* validate HASH(4) */
1018 {
1019 char *r_hash;
1020 vchar_t *my_hash = NULL;
1021 vchar_t *tmp = NULL;
1022 int result;
1023
1024 r_hash = (char *)hash + sizeof(*hash);
1025
1026 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
1027 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1028
1029 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
1030 vfree(tmp);
1031 if (my_hash == NULL) {
1032 plog(LLV_ERROR, LOCATION, NULL,
1033 "failed to compute HASH\n");
1034 goto end;
1035 }
1036
1037 result = memcmp(my_hash->v, r_hash, my_hash->l);
1038 vfree(my_hash);
1039
1040 if (result) {
1041 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1042 "HASH(4) mismatch.\n");
1043 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1044 goto end;
1045 }
1046 }
1047
1048 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1049 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1050 CONSTSTR("Initiator, Quick-Mode message 4"),
1051 CONSTSTR(NULL));
1052 packet_error = 0;
1053
1054 iph2->status = PHASE2ST_ADDSA;
1055 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
1056
1057 /* don't anything if local test mode. */
1058 if (f_local) {
1059 error = 0;
1060 goto end;
1061 }
1062
1063 /* Do UPDATE for initiator */
1064 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
1065 if (pk_sendupdate(iph2) < 0) {
1066 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
1067 goto end;
1068 }
1069 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
1070
1071 /* Do ADD for responder */
1072 if (pk_sendadd(iph2) < 0) {
1073 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
1074 goto end;
1075 }
1076 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
1077
1078 error = 0;
1079
1080 end:
1081 if (packet_error) {
1082 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1083 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1084 CONSTSTR("Initiator, Quick-Mode Message 4"),
1085 CONSTSTR("Failed to process Quick-Mode Message 4"));
1086 }
1087 if (msg != NULL)
1088 vfree(msg);
1089 if (pbuf != NULL)
1090 vfree(pbuf);
1091 if (notify != NULL)
1092 vfree(notify);
1093
1094 return error;
1095 }
1096
1097 /*
1098 * receive from initiator
1099 * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1100 */
1101 int
1102 quick_r1recv(iph2, msg0)
1103 struct ph2handle *iph2;
1104 vchar_t *msg0;
1105 {
1106 vchar_t *msg = NULL;
1107 vchar_t *hbuf = NULL; /* for hash computing. */
1108 vchar_t *pbuf = NULL; /* for payload parsing */
1109 struct isakmp_parse_t *pa;
1110 struct isakmp *isakmp = (struct isakmp *)msg0->v;
1111 struct isakmp_pl_hash *hash = NULL;
1112 char *p;
1113 int tlen;
1114 int f_id_order; /* for ID payload detection */
1115 int error = ISAKMP_INTERNAL_ERROR;
1116 struct sockaddr *natoa_i = NULL;
1117 struct sockaddr *natoa_r = NULL;
1118
1119 /* validity check */
1120 if (iph2->status != PHASE2ST_START) {
1121 plog(LLV_ERROR, LOCATION, NULL,
1122 "status mismatched %d.\n", iph2->status);
1123 goto end;
1124 }
1125
1126 /* decrypting */
1127 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1128 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1129 "Packet wasn't encrypted.\n");
1130 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1131 goto end;
1132 }
1133 /* decrypt packet */
1134 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1135 if (msg == NULL) {
1136 plog(LLV_ERROR, LOCATION, NULL,
1137 "failed to decrypt packet\n");
1138 goto end;
1139 }
1140
1141 /* create buffer for using to validate HASH(1) */
1142 /*
1143 * ordering rule:
1144 * 1. the first one must be HASH
1145 * 2. the second one must be SA (added in isakmp-oakley-05!)
1146 * 3. two IDs must be considered as IDci, then IDcr
1147 */
1148 pbuf = isakmp_parse(msg);
1149 if (pbuf == NULL) {
1150 plog(LLV_ERROR, LOCATION, NULL,
1151 "failed to parse msg\n");
1152 goto end;
1153 }
1154 pa = (struct isakmp_parse_t *)pbuf->v;
1155
1156 /* HASH payload is fixed postion */
1157 if (pa->type != ISAKMP_NPTYPE_HASH) {
1158 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1159 "received invalid next payload type %d, "
1160 "expecting %d.\n",
1161 pa->type, ISAKMP_NPTYPE_HASH);
1162 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1163 goto end;
1164 }
1165 hash = (struct isakmp_pl_hash *)pa->ptr;
1166 pa++;
1167
1168 /*
1169 * this restriction was introduced in isakmp-oakley-05.
1170 * we do not check this for backward compatibility.
1171 * TODO: command line/config file option to enable/disable this code
1172 */
1173 /* HASH payload is fixed postion */
1174 if (pa->type != ISAKMP_NPTYPE_SA) {
1175 plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
1176 "received invalid next payload type %d, "
1177 "expecting %d.\n",
1178 pa->type, ISAKMP_NPTYPE_SA);
1179 error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
1180 }
1181
1182 /* allocate buffer for computing HASH(1) */
1183 tlen = ntohl(isakmp->len) - sizeof(*isakmp);
1184 if (tlen < 0) {
1185 plog(LLV_ERROR, LOCATION, NULL, "invalid length (%d) while extracting hash.\n",
1186 ntohl(isakmp->len));
1187 goto end;
1188 }
1189 hbuf = vmalloc(tlen);
1190 if (hbuf == NULL) {
1191 plog(LLV_ERROR, LOCATION, NULL,
1192 "failed to get hash buffer.\n");
1193 goto end;
1194 }
1195 p = hbuf->v;
1196
1197 /*
1198 * parse the payloads.
1199 * copy non-HASH payloads into hbuf, so that we can validate HASH.
1200 */
1201 iph2->sa = NULL; /* we don't support multi SAs. */
1202 iph2->nonce_p = NULL;
1203 iph2->dhpub_p = NULL;
1204 iph2->id_p = NULL;
1205 iph2->id = NULL;
1206 tlen = 0; /* count payload length except of HASH payload. */
1207
1208 /*
1209 * IDi2 MUST be immediatelly followed by IDr2. We allowed the
1210 * illegal case, but logged. First ID payload is to be IDi2.
1211 * And next ID payload is to be IDr2.
1212 */
1213 f_id_order = 0;
1214
1215 for (; pa->type; pa++) {
1216
1217 /* copy to buffer for HASH */
1218 /* Don't modify the payload */
1219 memcpy(p, pa->ptr, pa->len);
1220
1221 if (pa->type != ISAKMP_NPTYPE_ID)
1222 f_id_order = 0;
1223
1224 switch (pa->type) {
1225 case ISAKMP_NPTYPE_SA:
1226 if (iph2->sa != NULL) {
1227 plog(LLV_ERROR, LOCATION, NULL,
1228 "Multi SAs isn't supported.\n");
1229 goto end;
1230 }
1231 if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
1232 plog(LLV_ERROR, LOCATION, NULL,
1233 "failed to process SA payload\n");
1234 goto end;
1235 }
1236 break;
1237
1238 case ISAKMP_NPTYPE_NONCE:
1239 if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
1240 plog(LLV_ERROR, LOCATION, NULL,
1241 "failed to process NONCE payload\n");
1242 goto end;
1243 }
1244 break;
1245
1246 case ISAKMP_NPTYPE_KE:
1247 if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
1248 plog(LLV_ERROR, LOCATION, NULL,
1249 "failed to process KE payload\n");
1250 goto end;
1251 }
1252 break;
1253
1254 case ISAKMP_NPTYPE_ID:
1255 if (iph2->id_p == NULL) {
1256 /* for IDci */
1257 f_id_order++;
1258
1259 if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) {
1260 plog(LLV_ERROR, LOCATION, NULL,
1261 "failed to process IDci2 payload\n");
1262 goto end;
1263 }
1264
1265 } else if (iph2->id == NULL) {
1266 /* for IDcr */
1267 if (f_id_order == 0) {
1268 plog(LLV_ERROR, LOCATION, NULL,
1269 "IDr2 payload is not "
1270 "immediatelly followed "
1271 "by IDi2. We allowed.\n");
1272 /* XXX we allowed in this case. */
1273 }
1274
1275 if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) {
1276 plog(LLV_ERROR, LOCATION, NULL,
1277 "failed to process IDcr2 payload\n");
1278 goto end;
1279 }
1280 } else {
1281 plog(LLV_ERROR, LOCATION, NULL,
1282 "received too many ID payloads.\n");
1283 plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
1284 error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
1285 goto end;
1286 }
1287 break;
1288
1289 case ISAKMP_NPTYPE_N:
1290 isakmp_check_ph2_notify(pa->ptr, iph2);
1291 break;
1292
1293 #ifdef ENABLE_NATT
1294 case ISAKMP_NPTYPE_NATOA_DRAFT:
1295 case ISAKMP_NPTYPE_NATOA_BADDRAFT:
1296 case ISAKMP_NPTYPE_NATOA_RFC:
1297 {
1298 vchar_t *vp = NULL;
1299 struct sockaddr *daddr;
1300
1301 isakmp_p2ph(&vp, pa->ptr);
1302
1303 if (vp) {
1304 daddr = process_natoa_payload(vp);
1305 if (daddr) {
1306 if (natoa_i == NULL) {
1307 natoa_i = daddr;
1308 plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA i: %s\n",
1309 saddr2str(natoa_i));
1310 } else if (natoa_r == NULL) {
1311 natoa_r = daddr;
1312 plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA r: %s\n",
1313 saddr2str(natoa_r));
1314 } else {
1315 racoon_free(daddr);
1316 }
1317 }
1318 vfree(vp);
1319 }
1320
1321 }
1322 break;
1323 #endif
1324
1325 default:
1326 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1327 "ignore the packet, "
1328 "received unexpected payload type %d.\n",
1329 pa->type);
1330 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1331 goto end;
1332 }
1333
1334 p += pa->len;
1335
1336 /* compute true length of payload. */
1337 tlen += pa->len;
1338 }
1339
1340 /* payload existency check */
1341 if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
1342 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1343 "expected isakmp payloads missing.\n");
1344 error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
1345 goto end;
1346 }
1347
1348 if (iph2->id_p) {
1349 plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
1350 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1351 }
1352 if (iph2->id) {
1353 plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
1354 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1355 }
1356
1357 /* adjust buffer length for HASH */
1358 hbuf->l = tlen;
1359
1360 /* validate HASH(1) */
1361 {
1362 char *r_hash;
1363 vchar_t *my_hash = NULL;
1364 int result;
1365
1366 r_hash = (caddr_t)hash + sizeof(*hash);
1367
1368 plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
1369 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1370
1371 my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
1372 if (my_hash == NULL) {
1373 plog(LLV_ERROR, LOCATION, NULL,
1374 "failed to compute HASH\n");
1375 goto end;
1376 }
1377
1378 result = memcmp(my_hash->v, r_hash, my_hash->l);
1379 vfree(my_hash);
1380
1381 if (result) {
1382 plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
1383 "HASH(1) mismatch.\n");
1384 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1385 goto end;
1386 }
1387 }
1388
1389 /* get sainfo */
1390 error = get_sainfo_r(iph2);
1391 if (error) {
1392 plog(LLV_ERROR, LOCATION, NULL,
1393 "failed to get sainfo.\n");
1394 goto end;
1395 }
1396
1397 /* check the existence of ID payload and create responder's proposal */
1398 error = get_proposal_r(iph2);
1399 switch (error) {
1400 case -2:
1401 /* generate a policy template from peer's proposal */
1402 if (set_proposal_from_proposal(iph2)) {
1403 plog(LLV_ERROR, LOCATION, NULL,
1404 "failed to generate a proposal template "
1405 "from client's proposal.\n");
1406 return ISAKMP_INTERNAL_ERROR;
1407 }
1408 /*FALLTHROUGH*/
1409 case 0:
1410 /* select single proposal or reject it. */
1411 if (ipsecdoi_selectph2proposal(iph2) < 0) {
1412 plog(LLV_ERROR, LOCATION, NULL,
1413 "failed to select proposal.\n");
1414 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1415 goto end;
1416 }
1417 break;
1418 default:
1419 plog(LLV_ERROR, LOCATION, NULL,
1420 "failed to get proposal for responder.\n");
1421 goto end;
1422 }
1423
1424 /* check KE and attribute of PFS */
1425 if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
1426 plog(LLV_ERROR, LOCATION, NULL,
1427 "no PFS is specified, but peer sends KE.\n");
1428 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1429 goto end;
1430 }
1431 if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
1432 plog(LLV_ERROR, LOCATION, NULL,
1433 "PFS is specified, but peer doesn't sends KE.\n");
1434 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
1435 goto end;
1436 }
1437
1438 ike_session_update_mode(iph2); /* update the mode, now that we have a proposal */
1439
1440 /*
1441 * save the packet from the initiator in order to resend the
1442 * responder's first packet against this packet.
1443 */
1444 iph2->msg1 = vdup(msg0);
1445
1446 /* change status of isakmp status entry */
1447 iph2->status = PHASE2ST_STATUS2;
1448
1449 error = 0;
1450
1451 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1452 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1453 CONSTSTR("Responder, Quick-Mode message 1"),
1454 CONSTSTR(NULL));
1455
1456 end:
1457 if (error) {
1458 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1459 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1460 CONSTSTR("Responder, Quick-Mode Message 1"),
1461 CONSTSTR("Failed to process Quick-Mode Message 1"));
1462 }
1463 if (hbuf)
1464 vfree(hbuf);
1465 if (msg)
1466 vfree(msg);
1467 if (pbuf)
1468 vfree(pbuf);
1469
1470 #ifdef ENABLE_NATT
1471 if (natoa_i) {
1472 racoon_free(natoa_i);
1473 }
1474 if (natoa_r) {
1475 racoon_free(natoa_r);
1476 }
1477 #endif
1478
1479 if (error) {
1480 VPTRINIT(iph2->sa);
1481 VPTRINIT(iph2->nonce_p);
1482 VPTRINIT(iph2->dhpub_p);
1483 VPTRINIT(iph2->id);
1484 VPTRINIT(iph2->id_p);
1485 }
1486
1487 return error;
1488 }
1489
1490 /*
1491 * call pfkey_getspi.
1492 */
1493 int
1494 quick_r1prep(iph2, msg)
1495 struct ph2handle *iph2;
1496 vchar_t *msg;
1497 {
1498 int error = ISAKMP_INTERNAL_ERROR;
1499
1500 /* validity check */
1501 if (iph2->status != PHASE2ST_STATUS2) {
1502 plog(LLV_ERROR, LOCATION, NULL,
1503 "status mismatched %d.\n", iph2->status);
1504 goto end;
1505 }
1506
1507 iph2->status = PHASE2ST_GETSPISENT;
1508
1509 /* send getspi message */
1510 if (pk_sendgetspi(iph2) < 0) {
1511 plog(LLV_ERROR, LOCATION, NULL,
1512 "failed to send getspi");
1513 goto end;
1514 }
1515
1516 plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
1517
1518 iph2->sce = sched_new(lcconf->wait_ph2complete,
1519 pfkey_timeover_stub, iph2);
1520
1521 error = 0;
1522
1523 end:
1524 return error;
1525 }
1526
1527 /*
1528 * send to initiator
1529 * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] [, NAT-OAi, NAT-OAr ]
1530 */
1531 int
1532 quick_r2send(iph2, msg)
1533 struct ph2handle *iph2;
1534 vchar_t *msg;
1535 {
1536 vchar_t *body = NULL;
1537 vchar_t *hash = NULL;
1538 vchar_t *natoa_i = NULL;
1539 vchar_t *natoa_r = NULL;
1540 int natoa_type = 0;
1541 struct isakmp_gen *gen;
1542 char *p;
1543 int tlen;
1544 int error = ISAKMP_INTERNAL_ERROR;
1545 int pfsgroup;
1546 u_int8_t *np_p = NULL;
1547
1548 /* validity check */
1549 if (msg != NULL) {
1550 plog(LLV_ERROR, LOCATION, NULL,
1551 "msg has to be NULL in this function.\n");
1552 goto end;
1553 }
1554 if (iph2->status != PHASE2ST_GETSPIDONE) {
1555 plog(LLV_ERROR, LOCATION, NULL,
1556 "status mismatched %d.\n", iph2->status);
1557 goto end;
1558 }
1559
1560 /* update responders SPI */
1561 if (ipsecdoi_updatespi(iph2) < 0) {
1562 plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
1563 goto end;
1564 }
1565
1566 /* generate NONCE value */
1567 iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
1568 if (iph2->nonce == NULL) {
1569 plog(LLV_ERROR, LOCATION, NULL,
1570 "failed to generate NONCE");
1571 goto end;
1572 }
1573
1574 /* generate KE value if need */
1575 pfsgroup = iph2->approval->pfs_group;
1576 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1577 /* DH group settting if PFS is required. */
1578 if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
1579 plog(LLV_ERROR, LOCATION, NULL,
1580 "failed to set DH value.\n");
1581 goto end;
1582 }
1583 /* generate DH public value */
1584 #ifdef HAVE_OPENSSL
1585 if (oakley_dh_generate(iph2->pfsgrp,
1586 &iph2->dhpub, &iph2->dhpriv) < 0) {
1587 #else
1588 if (oakley_dh_generate(iph2->pfsgrp,
1589 &iph2->dhpub, &iph2->publicKeySize, &iph2->dhC) < 0) {
1590 #endif
1591 plog(LLV_ERROR, LOCATION, NULL,
1592 "failed to generate DH public");
1593 goto end;
1594 }
1595 }
1596
1597 /* create SA;NONCE payload, and KE and ID if need */
1598 tlen = sizeof(*gen) + iph2->sa_ret->l
1599 + sizeof(*gen) + iph2->nonce->l;
1600 if (iph2->dhpub_p != NULL && pfsgroup != 0)
1601 tlen += (sizeof(*gen) + iph2->dhpub->l);
1602 if (iph2->id_p != NULL)
1603 tlen += (sizeof(*gen) + iph2->id_p->l
1604 + sizeof(*gen) + iph2->id->l);
1605
1606 #ifdef ENABLE_NATT
1607 /*
1608 * RFC3947 5.2. if we chose UDP-Encapsulated-Transport
1609 * we should send NAT-OA
1610 */
1611 if (ipsecdoi_any_transportmode(iph2->approval)
1612 && (iph2->ph1->natt_flags & NAT_DETECTED)) {
1613 natoa_type = create_natoa_payloads(iph2, &natoa_i, &natoa_r);
1614 if (natoa_type == -1) {
1615 plog(LLV_ERROR, LOCATION, NULL,
1616 "failed to create NATOA payloads");
1617 goto end;
1618 }
1619 else if (natoa_type != 0) {
1620 tlen += sizeof(*gen) + natoa_i->l;
1621 tlen += sizeof(*gen) + natoa_r->l;
1622
1623 plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAi:\n");
1624 plogdump(LLV_DEBUG, natoa_i->v, natoa_i->l);
1625 plog(LLV_DEBUG, LOCATION, NULL, "responder send NAT-OAr:\n");
1626 plogdump(LLV_DEBUG, natoa_r->v, natoa_r->l);
1627 }
1628 }
1629 #endif
1630
1631 plog(LLV_DEBUG, LOCATION, NULL, "Approved SA\n");
1632 printsaprop0(LLV_DEBUG, iph2->approval);
1633
1634 body = vmalloc(tlen);
1635 if (body == NULL) {
1636 plog(LLV_ERROR, LOCATION, NULL,
1637 "failed to get buffer to send.\n");
1638 goto end;
1639 }
1640 p = body->v;
1641
1642 /* make SA payload */
1643 p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
1644
1645 /* add NONCE payload */
1646 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1647 p = set_isakmp_payload(p, iph2->nonce,
1648 (iph2->dhpub_p != NULL && pfsgroup != 0)
1649 ? ISAKMP_NPTYPE_KE
1650 : (iph2->id_p != NULL
1651 ? ISAKMP_NPTYPE_ID
1652 : (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE)));
1653
1654 /* add KE payload if need. */
1655 if (iph2->dhpub_p != NULL && pfsgroup != 0) {
1656 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1657 p = set_isakmp_payload(p, iph2->dhpub,
1658 (iph2->id_p == NULL) ? (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE) : ISAKMP_NPTYPE_ID);
1659 }
1660
1661 /* add ID payloads received. */
1662 if (iph2->id_p != NULL) {
1663 /* IDci */
1664 p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
1665 plog(LLV_DEBUG, LOCATION, NULL, "sending IDci2:\n");
1666 plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
1667 /* IDcr */
1668 np_p = &((struct isakmp_gen *)p)->np; /* XXX */
1669 p = set_isakmp_payload(p, iph2->id, (natoa_type ? natoa_type : ISAKMP_NPTYPE_NONE));
1670 plog(LLV_DEBUG, LOCATION, NULL, "sending IDcr2:\n");
1671 plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
1672 }
1673
1674 /* add a RESPONDER-LIFETIME notify payload if needed */
1675 {
1676 vchar_t *data = NULL;
1677 struct saprop *pp = iph2->approval;
1678 struct saproto *pr;
1679
1680 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
1681 u_int32_t v = htonl((u_int32_t)pp->lifetime);
1682 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1683 IPSECDOI_ATTR_SA_LD_TYPE_SEC);
1684 if (!data) {
1685 plog(LLV_ERROR, LOCATION, NULL,
1686 "failed to add RESPONDER-LIFETIME notify (type) payload");
1687 goto end;
1688 }
1689 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1690 (caddr_t)&v, sizeof(v));
1691 if (!data) {
1692 plog(LLV_ERROR, LOCATION, NULL,
1693 "failed to add RESPONDER-LIFETIME notify (value) payload");
1694 goto end;
1695 }
1696 }
1697 if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
1698 u_int32_t v = htonl((u_int32_t)pp->lifebyte);
1699 data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
1700 IPSECDOI_ATTR_SA_LD_TYPE_KB);
1701 if (!data) {
1702 plog(LLV_ERROR, LOCATION, NULL,
1703 "failed to add RESPONDER-LIFETIME notify (type) payload");
1704 goto end;
1705 }
1706 data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
1707 (caddr_t)&v, sizeof(v));
1708 if (!data) {
1709 plog(LLV_ERROR, LOCATION, NULL,
1710 "failed to add RESPONDER-LIFETIME notify (value) payload");
1711 goto end;
1712 }
1713 }
1714
1715 /*
1716 * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
1717 * in the case of SA bundle ?
1718 */
1719 if (data) {
1720 for (pr = pp->head; pr; pr = pr->next) {
1721 body = isakmp_add_pl_n(body, &np_p,
1722 ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
1723 if (!body) {
1724 plog(LLV_ERROR, LOCATION, NULL,
1725 "invalid RESPONDER-LIFETIME payload");
1726 vfree(data);
1727 return error; /* XXX */
1728 }
1729 }
1730 vfree(data);
1731 }
1732 }
1733
1734 /* natoa */
1735 if (natoa_type) {
1736 p = set_isakmp_payload(p, natoa_i, natoa_type);
1737 p = set_isakmp_payload(p, natoa_r, ISAKMP_NPTYPE_NONE);
1738 }
1739
1740 /* generate HASH(2) */
1741 {
1742 vchar_t *tmp;
1743
1744 tmp = vmalloc(iph2->nonce_p->l + body->l);
1745 if (tmp == NULL) {
1746 plog(LLV_ERROR, LOCATION, NULL,
1747 "failed to get hash buffer.\n");
1748 goto end;
1749 }
1750 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1751 memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
1752
1753 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
1754 vfree(tmp);
1755
1756 if (hash == NULL) {
1757 plog(LLV_ERROR, LOCATION, NULL,
1758 "failed to compute HASH");
1759 goto end;
1760 }
1761 }
1762
1763 /* send isakmp payload */
1764 iph2->sendbuf = quick_ir1mx(iph2, body, hash);
1765 if (iph2->sendbuf == NULL) {
1766 plog(LLV_ERROR, LOCATION, NULL,
1767 "failed to get send buffer");
1768 goto end;
1769 }
1770
1771 /* send the packet, add to the schedule to resend */
1772 iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
1773 if (isakmp_ph2resend(iph2) == -1) {
1774 plog(LLV_ERROR, LOCATION, NULL,
1775 "failed to send packet");
1776 goto end;
1777 }
1778
1779 /* the sending message is added to the received-list. */
1780 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1,
1781 PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) {
1782 plog(LLV_ERROR , LOCATION, NULL,
1783 "failed to add a response packet to the tree.\n");
1784 goto end;
1785 }
1786
1787 /* change status of isakmp status entry */
1788 iph2->status = PHASE2ST_MSG1SENT;
1789
1790 error = 0;
1791
1792 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1793 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
1794 CONSTSTR("Responder, Quick-Mode message 2"),
1795 CONSTSTR(NULL));
1796
1797 end:
1798 if (error) {
1799 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1800 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
1801 CONSTSTR("Responder, Quick-Mode Message 2"),
1802 CONSTSTR("Failed to transmit Quick-Mode Message 2"));
1803 }
1804 if (body != NULL)
1805 vfree(body);
1806 if (hash != NULL)
1807 vfree(hash);
1808 if (natoa_i)
1809 vfree(natoa_i);
1810 if (natoa_r)
1811 vfree(natoa_r);
1812
1813 return error;
1814 }
1815
1816 /*
1817 * receive from initiator
1818 * HDR*, HASH(3)
1819 */
1820 int
1821 quick_r3recv(iph2, msg0)
1822 struct ph2handle *iph2;
1823 vchar_t *msg0;
1824 {
1825 vchar_t *msg = NULL;
1826 vchar_t *pbuf = NULL; /* for payload parsing */
1827 struct isakmp_parse_t *pa;
1828 struct isakmp_pl_hash *hash = NULL;
1829 int error = ISAKMP_INTERNAL_ERROR;
1830
1831 /* validity check */
1832 if (iph2->status != PHASE2ST_MSG1SENT) {
1833 plog(LLV_ERROR, LOCATION, NULL,
1834 "status mismatched %d.\n", iph2->status);
1835 goto end;
1836 }
1837
1838 /* decrypt packet */
1839 if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
1840 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1841 "Packet wasn't encrypted.\n");
1842 goto end;
1843 }
1844 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
1845 if (msg == NULL) {
1846 plog(LLV_ERROR, LOCATION, NULL,
1847 "failed to decrypt packet\n");
1848 goto end;
1849 }
1850
1851 /* validate the type of next payload */
1852 pbuf = isakmp_parse(msg);
1853 if (pbuf == NULL) {
1854 plog(LLV_ERROR, LOCATION, NULL,
1855 "failed to parse msg\n");
1856 goto end;
1857 }
1858
1859 for (pa = (struct isakmp_parse_t *)pbuf->v;
1860 pa->type != ISAKMP_NPTYPE_NONE;
1861 pa++) {
1862
1863 switch (pa->type) {
1864 case ISAKMP_NPTYPE_HASH:
1865 hash = (struct isakmp_pl_hash *)pa->ptr;
1866 break;
1867 case ISAKMP_NPTYPE_N:
1868 isakmp_check_ph2_notify(pa->ptr, iph2);
1869 break;
1870 default:
1871 /* don't send information, see ident_r1recv() */
1872 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1873 "ignore the packet, "
1874 "received unexpecting payload type %d.\n",
1875 pa->type);
1876 goto end;
1877 }
1878 }
1879
1880 /* payload existency check */
1881 if (hash == NULL) {
1882 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1883 "few isakmp message received.\n");
1884 goto end;
1885 }
1886
1887 /* validate HASH(3) */
1888 /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
1889 {
1890 char *r_hash;
1891 vchar_t *my_hash = NULL;
1892 vchar_t *tmp = NULL;
1893 int result;
1894
1895 r_hash = (char *)hash + sizeof(*hash);
1896
1897 plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
1898 plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
1899
1900 tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
1901 if (tmp == NULL) {
1902 plog(LLV_ERROR, LOCATION, NULL,
1903 "failed to get hash buffer.\n");
1904 goto end;
1905 }
1906 memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
1907 memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
1908
1909 my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
1910 vfree(tmp);
1911 if (my_hash == NULL) {
1912 plog(LLV_ERROR, LOCATION, NULL,
1913 "failed to compute HASH\n");
1914 goto end;
1915 }
1916
1917 result = memcmp(my_hash->v, r_hash, my_hash->l);
1918 vfree(my_hash);
1919
1920 if (result) {
1921 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
1922 "HASH(3) mismatch.\n");
1923 error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
1924 goto end;
1925 }
1926 }
1927
1928 /* if there is commit bit, don't set up SA now. */
1929 if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
1930 iph2->status = PHASE2ST_COMMIT;
1931 } else
1932 iph2->status = PHASE2ST_STATUS6;
1933
1934 error = 0;
1935
1936 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1937 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
1938 CONSTSTR("Responder, Quick-Mode message 3"),
1939 CONSTSTR(NULL));
1940
1941 end:
1942 if (error) {
1943 IPSECSESSIONTRACEREVENT(iph2->parent_session,
1944 IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
1945 CONSTSTR("Responder, Quick-Mode Message 3"),
1946 CONSTSTR("Failed to process Quick-Mode Message 3"));
1947 }
1948 if (pbuf != NULL)
1949 vfree(pbuf);
1950 if (msg != NULL)
1951 vfree(msg);
1952
1953 return error;
1954 }
1955
1956 /*
1957 * send to initiator
1958 * HDR#*, HASH(4), notify
1959 */
1960 int
1961 quick_r3send(iph2, msg0)
1962 struct ph2handle *iph2;
1963 vchar_t *msg0;
1964 {
1965 vchar_t *buf = NULL;
1966 vchar_t *myhash = NULL;
1967 struct isakmp_pl_n *n;
1968 vchar_t *notify = NULL;
1969 char *p;
1970 int tlen;
1971 int error = ISAKMP_INTERNAL_ERROR;
1972
1973 /* validity check */
1974 if (iph2->status != PHASE2ST_COMMIT) {
1975 plog(LLV_ERROR, LOCATION, NULL,
1976 "status mismatched %d.\n", iph2->status);
1977 goto end;
1978 }
1979
1980 /* generate HASH(4) */
1981 /* XXX What can I do in the case of multiple different SA */
1982 plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
1983
1984 /* XXX What should I do if there are multiple SAs ? */
1985 tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
1986 notify = vmalloc(tlen);
1987 if (notify == NULL) {
1988 plog(LLV_ERROR, LOCATION, NULL,
1989 "failed to get notify buffer.\n");
1990 goto end;
1991 }
1992 n = (struct isakmp_pl_n *)notify->v;
1993 n->h.np = ISAKMP_NPTYPE_NONE;
1994 n->h.len = htons(tlen);
1995 n->doi = htonl(IPSEC_DOI);
1996 n->proto_id = iph2->approval->head->proto_id;
1997 n->spi_size = sizeof(iph2->approval->head->spisize);
1998 n->type = htons(ISAKMP_NTYPE_CONNECTED);
1999 memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
2000
2001 myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
2002 if (myhash == NULL) {
2003 plog(LLV_ERROR, LOCATION, NULL,
2004 "failed to compute HASH");
2005 goto end;
2006 }
2007
2008 /* create buffer for isakmp payload */
2009 tlen = sizeof(struct isakmp)
2010 + sizeof(struct isakmp_gen) + myhash->l
2011 + notify->l;
2012 buf = vmalloc(tlen);
2013 if (buf == NULL) {
2014 plog(LLV_ERROR, LOCATION, NULL,
2015 "failed to get buffer to send.\n");
2016 goto end;
2017 }
2018
2019 /* create isakmp header */
2020 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2021 if (p == NULL) {
2022 plog(LLV_ERROR, LOCATION, NULL,
2023 "failed to set ISAKMP header");
2024 goto end;
2025 }
2026
2027 /* add HASH(4) payload */
2028 p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
2029
2030 /* add notify payload */
2031 memcpy(p, notify->v, notify->l);
2032
2033 #ifdef HAVE_PRINT_ISAKMP_C
2034 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2035 #endif
2036
2037 /* encoding */
2038 iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2039 if (iph2->sendbuf == NULL) {
2040 plog(LLV_ERROR, LOCATION, NULL,
2041 "failed to encrypt packet");
2042 goto end;
2043 }
2044
2045 /* send the packet */
2046 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
2047 plog(LLV_ERROR, LOCATION, NULL,
2048 "failed to send packet");
2049 goto end;
2050 }
2051
2052 /* the sending message is added to the received-list. */
2053 if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0,
2054 PH2_NON_ESP_EXTRA_LEN(iph2), PH2_FRAG_FLAGS(iph2)) == -1) {
2055 plog(LLV_ERROR , LOCATION, NULL,
2056 "failed to add a response packet to the tree.\n");
2057 goto end;
2058 }
2059
2060 iph2->status = PHASE2ST_COMMIT;
2061
2062 error = 0;
2063
2064 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2065 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
2066 CONSTSTR("Responder, Quick-Mode message 4"),
2067 CONSTSTR(NULL));
2068
2069 end:
2070 if (error) {
2071 IPSECSESSIONTRACEREVENT(iph2->parent_session,
2072 IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
2073 CONSTSTR("Responder, Quick-Mode Message 4"),
2074 CONSTSTR("Failed to transmit Quick-Mode Message 4"));
2075 }
2076 if (buf != NULL)
2077 vfree(buf);
2078 if (myhash != NULL)
2079 vfree(myhash);
2080 if (notify != NULL)
2081 vfree(notify);
2082
2083 return error;
2084 }
2085
2086
2087 /*
2088 * set SA to kernel.
2089 */
2090 int
2091 quick_r3prep(iph2, msg0)
2092 struct ph2handle *iph2;
2093 vchar_t *msg0;
2094 {
2095 vchar_t *msg = NULL;
2096 int error = ISAKMP_INTERNAL_ERROR;
2097
2098 /* validity check */
2099 if (iph2->status != PHASE2ST_STATUS6) {
2100 plog(LLV_ERROR, LOCATION, NULL,
2101 "status mismatched %d.\n", iph2->status);
2102 goto end;
2103 }
2104
2105 /* compute both of KEYMATs */
2106 if (oakley_compute_keymat(iph2, RESPONDER) < 0) {
2107 plog(LLV_ERROR, LOCATION, NULL,
2108 "failed to compute KEYMAT");
2109 goto end;
2110 }
2111
2112 iph2->status = PHASE2ST_ADDSA;
2113 iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
2114
2115 /* don't anything if local test mode. */
2116 if (f_local) {
2117 error = 0;
2118 goto end;
2119 }
2120
2121 /* Do UPDATE as responder */
2122 plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
2123 if (pk_sendupdate(iph2) < 0) {
2124 plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
2125 goto end;
2126 }
2127 plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
2128
2129 /* Do ADD for responder */
2130 if (pk_sendadd(iph2) < 0) {
2131 plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
2132 goto end;
2133 }
2134 plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
2135
2136 /*
2137 * set policies into SPD if the policy is generated
2138 * from peer's policy.
2139 */
2140 if (iph2->spidx_gen) {
2141
2142 struct policyindex *spidx;
2143 struct sockaddr_storage addr;
2144 u_int8_t pref;
2145 struct sockaddr *src = iph2->src;
2146 struct sockaddr *dst = iph2->dst;
2147
2148 /* make inbound policy */
2149 iph2->src = dst;
2150 iph2->dst = src;
2151 if (pk_sendspdupdate2(iph2) < 0) {
2152 plog(LLV_ERROR, LOCATION, NULL,
2153 "pfkey spdupdate2(inbound) failed.\n");
2154 goto end;
2155 }
2156 plog(LLV_DEBUG, LOCATION, NULL,
2157 "pfkey spdupdate2(inbound) sent.\n");
2158
2159 spidx = (struct policyindex *)iph2->spidx_gen;
2160 #ifdef HAVE_POLICY_FWD
2161 /* make forward policy if required */
2162 if (tunnel_mode_prop(iph2->approval)) {
2163 spidx->dir = IPSEC_DIR_FWD;
2164 if (pk_sendspdupdate2(iph2) < 0) {
2165 plog(LLV_ERROR, LOCATION, NULL,
2166 "pfkey spdupdate2(forward) failed.\n");
2167 goto end;
2168 }
2169 plog(LLV_DEBUG, LOCATION, NULL,
2170 "pfkey spdupdate2(forward) sent.\n");
2171 }
2172 #endif
2173
2174 /* make outbound policy */
2175 iph2->src = src;
2176 iph2->dst = dst;
2177 spidx->dir = IPSEC_DIR_OUTBOUND;
2178 addr = spidx->src;
2179 spidx->src = spidx->dst;
2180 spidx->dst = addr;
2181 pref = spidx->prefs;
2182 spidx->prefs = spidx->prefd;
2183 spidx->prefd = pref;
2184
2185 if (pk_sendspdupdate2(iph2) < 0) {
2186 plog(LLV_ERROR, LOCATION, NULL,
2187 "pfkey spdupdate2(outbound) failed.\n");
2188 goto end;
2189 }
2190 plog(LLV_DEBUG, LOCATION, NULL,
2191 "pfkey spdupdate2(outbound) sent.\n");
2192
2193 /* spidx_gen is unnecessary any more */
2194 delsp_bothdir((struct policyindex *)iph2->spidx_gen);
2195 racoon_free(iph2->spidx_gen);
2196 iph2->spidx_gen = NULL;
2197 iph2->generated_spidx=1;
2198 }
2199
2200 error = 0;
2201
2202 end:
2203 if (msg != NULL)
2204 vfree(msg);
2205
2206 return error;
2207 }
2208
2209 /*
2210 * create HASH, body (SA, NONCE) payload with isakmp header.
2211 */
2212 static vchar_t *
2213 quick_ir1mx(iph2, body, hash)
2214 struct ph2handle *iph2;
2215 vchar_t *body, *hash;
2216 {
2217 struct isakmp *isakmp;
2218 vchar_t *buf = NULL, *new = NULL;
2219 char *p;
2220 int tlen;
2221 struct isakmp_gen *gen;
2222 int error = ISAKMP_INTERNAL_ERROR;
2223
2224 /* create buffer for isakmp payload */
2225 tlen = sizeof(*isakmp)
2226 + sizeof(*gen) + hash->l
2227 + body->l;
2228 buf = vmalloc(tlen);
2229 if (buf == NULL) {
2230 plog(LLV_ERROR, LOCATION, NULL,
2231 "failed to get buffer to send.\n");
2232 goto end;
2233 }
2234
2235 /* re-set encryption flag, for serurity. */
2236 iph2->flags |= ISAKMP_FLAG_E;
2237
2238 /* set isakmp header */
2239 p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
2240 if (p == NULL) {
2241 plog(LLV_ERROR, LOCATION, NULL,
2242 "failed to set ISAKMP header");
2243 goto end;
2244 }
2245
2246 /* add HASH payload */
2247 /* XXX is next type always SA ? */
2248 p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
2249
2250 /* add body payload */
2251 memcpy(p, body->v, body->l);
2252
2253 #ifdef HAVE_PRINT_ISAKMP_C
2254 isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
2255 #endif
2256
2257 /* encoding */
2258 new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
2259 if (new == NULL) {
2260 plog(LLV_ERROR, LOCATION, NULL,
2261 "failed to encrypt packet");
2262 goto end;
2263 }
2264
2265 vfree(buf);
2266
2267 buf = new;
2268
2269 error = 0;
2270
2271 end:
2272 if (error && buf != NULL) {
2273 vfree(buf);
2274 buf = NULL;
2275 }
2276
2277 return buf;
2278 }
2279
2280 /*
2281 * get remote's sainfo.
2282 * NOTE: this function is for responder.
2283 */
2284 static int
2285 get_sainfo_r(iph2)
2286 struct ph2handle *iph2;
2287 {
2288 vchar_t *idsrc = NULL, *iddst = NULL;
2289 int prefixlen;
2290 int error = ISAKMP_INTERNAL_ERROR;
2291 struct sainfo *anonymous = NULL;
2292
2293 if (iph2->id == NULL) {
2294 switch (iph2->src->sa_family) {
2295 case AF_INET:
2296 prefixlen = sizeof(struct in_addr) << 3;
2297 break;
2298 case AF_INET6:
2299 prefixlen = sizeof(struct in6_addr) << 3;
2300 break;
2301 default:
2302 plog(LLV_ERROR, LOCATION, NULL,
2303 "invalid family: %d\n", iph2->src->sa_family);
2304 goto end;
2305 }
2306 idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
2307 IPSEC_ULPROTO_ANY);
2308 } else {
2309 idsrc = vdup(iph2->id);
2310 }
2311 if (idsrc == NULL) {
2312 plog(LLV_ERROR, LOCATION, NULL,
2313 "failed to set ID for source.\n");
2314 goto end;
2315 }
2316
2317 if (iph2->id_p == NULL) {
2318 switch (iph2->dst->sa_family) {
2319 case AF_INET:
2320 prefixlen = sizeof(struct in_addr) << 3;
2321 break;
2322 case AF_INET6:
2323 prefixlen = sizeof(struct in6_addr) << 3;
2324 break;
2325 default:
2326 plog(LLV_ERROR, LOCATION, NULL,
2327 "invalid family: %d\n", iph2->dst->sa_family);
2328 goto end;
2329 }
2330 iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
2331 IPSEC_ULPROTO_ANY);
2332 } else {
2333 iddst = vdup(iph2->id_p);
2334 }
2335 if (iddst == NULL) {
2336 plog(LLV_ERROR, LOCATION, NULL,
2337 "failed to set ID for destination.\n");
2338 goto end;
2339 }
2340
2341 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 0);
2342 // track anonymous sainfo, because we'll try to find a better sainfo if this is a client
2343 if (iph2->sainfo && iph2->sainfo->idsrc == NULL)
2344 anonymous = iph2->sainfo;
2345
2346 if (iph2->sainfo == NULL ||
2347 (anonymous && iph2->parent_session && iph2->parent_session->is_client)) {
2348 if ((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL)
2349 iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, 1);
2350 if (iph2->sainfo) {
2351 plog(LLV_DEBUG2, LOCATION, NULL,
2352 "get_sainfo_r case 1.\n");
2353 }
2354 // still no sainfo (or anonymous): for client, fallback to sainfo used by a previous established phase2
2355 if (iph2->sainfo == NULL ||
2356 (iph2->sainfo->idsrc == NULL && iph2->parent_session && iph2->parent_session->is_client)) {
2357 ike_session_get_sainfo_r(iph2);
2358 if (iph2->sainfo) {
2359 plog(LLV_DEBUG2, LOCATION, NULL,
2360 "get_sainfo_r case 2.\n");
2361 }
2362 // still no sainfo (or anonymous): fallback to sainfo picked by dst id
2363 if ((iph2->sainfo == NULL || iph2->sainfo->idsrc == NULL) && iph2->id_p) {
2364 plog(LLV_DEBUG2, LOCATION, NULL,
2365 "get_sainfo_r about to try dst id only.\n");
2366 iph2->sainfo = getsainfo_by_dst_id(iph2->id_p, iph2->ph1->id_p);
2367 if (iph2->sainfo) {
2368 plog(LLV_DEBUG2, LOCATION, NULL,
2369 "get_sainfo_r case 3.\n");
2370 if (iph2->sainfo->idsrc == NULL)
2371 anonymous = iph2->sainfo;
2372 }
2373 }
2374 }
2375 }
2376 if (iph2->sainfo == NULL) {
2377 if (anonymous == NULL) {
2378 plog(LLV_ERROR, LOCATION, NULL,
2379 "failed to get sainfo.\n");
2380 goto end;
2381 }
2382 iph2->sainfo = anonymous;
2383 }
2384 if (link_sainfo_to_ph2(iph2->sainfo) != 0) {
2385 plog(LLV_ERROR, LOCATION, NULL,
2386 "failed to link sainfo\n");
2387 iph2->sainfo = NULL;
2388 goto end;
2389 }
2390
2391 #ifdef ENABLE_HYBRID
2392 /* xauth group inclusion check */
2393 if (iph2->sainfo->group != NULL)
2394 if(group_check(iph2->ph1,&iph2->sainfo->group->v,1)) {
2395 plog(LLV_ERROR, LOCATION, NULL,
2396 "failed to group check");
2397 goto end;
2398 }
2399 #endif
2400
2401 plog(LLV_DEBUG, LOCATION, NULL,
2402 "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
2403
2404 error = 0;
2405 end:
2406 if (idsrc)
2407 vfree(idsrc);
2408 if (iddst)
2409 vfree(iddst);
2410
2411 return error;
2412 }
2413
2414 static int
2415 get_proposal_r(iph2)
2416 struct ph2handle *iph2;
2417 {
2418 int error = get_proposal_r_remote(iph2, 0);
2419 if (error != -2 && error != 0 &&
2420 (((iph2->ph1->natt_flags & NAT_DETECTED_ME) && lcconf->ext_nat_id != NULL) ||
2421 (iph2->parent_session && iph2->parent_session->is_client))) {
2422 if (iph2->parent_session && iph2->parent_session->is_client)
2423 error = ike_session_get_proposal_r(iph2);
2424 if (error != -2 && error != 0)
2425 error = get_proposal_r_remote(iph2, 1);
2426 }
2427 return error;
2428 }
2429
2430 /*
2431 * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
2432 * are IP address and same address family.
2433 * Then get remote's policy from SPD copied from kernel.
2434 * If the type of ID payload is address or subnet type, then the index is
2435 * made from the payload. If there is no ID payload, or the type of ID
2436 * payload is NOT address type, then the index is made from the address
2437 * pair of phase 1.
2438 * NOTE: This function is only for responder.
2439 */
2440 static int
2441 get_proposal_r_remote(iph2, ignore_id)
2442 struct ph2handle *iph2;
2443 int ignore_id;
2444 {
2445 struct policyindex spidx;
2446 struct secpolicy *sp_in, *sp_out;
2447 int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
2448 int error = ISAKMP_INTERNAL_ERROR;
2449 int generated_policy_exit_early = 1;
2450
2451 /* check the existence of ID payload */
2452 if ((iph2->id_p != NULL && iph2->id == NULL)
2453 || (iph2->id_p == NULL && iph2->id != NULL)) {
2454 plog(LLV_ERROR, LOCATION, NULL,
2455 "Both IDs wasn't found in payload.\n");
2456 return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
2457 }
2458
2459 /* make sure if id[src,dst] is null (if use_remote_addr == 0). */
2460 if (!ignore_id && (iph2->src_id || iph2->dst_id)) {
2461 plog(LLV_ERROR, LOCATION, NULL,
2462 "Why do ID[src,dst] exist already.\n");
2463 return ISAKMP_INTERNAL_ERROR;
2464 }
2465
2466 plog(LLV_DEBUG, LOCATION, NULL,
2467 "%s: ignore_id %x.\n", __FUNCTION__, ignore_id);
2468
2469 memset(&spidx, 0, sizeof(spidx));
2470
2471 #define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
2472
2473 /* make a spidx; a key to search SPD */
2474 spidx.dir = IPSEC_DIR_INBOUND;
2475 spidx.ul_proto = 0;
2476
2477 /*
2478 * make destination address in spidx from either ID payload
2479 * or phase 1 address into a address in spidx.
2480 * If behind a nat - use phase1 address because server's
2481 * use the nat's address in the ID payload.
2482 */
2483 if (iph2->id != NULL
2484 && ignore_id == 0
2485 && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2486 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
2487 || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2488 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2489 /* get a destination address of a policy */
2490 error = ipsecdoi_id2sockaddr(iph2->id,
2491 (struct sockaddr *)&spidx.dst,
2492 &spidx.prefd, &spidx.ul_proto);
2493 if (error)
2494 return error;
2495
2496 #ifdef INET6
2497 /*
2498 * get scopeid from the SA address.
2499 * note that the phase 1 source address is used as
2500 * a destination address to search for a inbound policy entry
2501 * because rcoon is responder.
2502 */
2503 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
2504 error = setscopeid((struct sockaddr *)&spidx.dst,
2505 iph2->src);
2506 if (error)
2507 return error;
2508 }
2509 #endif
2510
2511 if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
2512 || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
2513 idi2type = _XIDT(iph2->id);
2514
2515 } else {
2516
2517 plog(LLV_DEBUG, LOCATION, NULL,
2518 "get a destination address of SP index "
2519 "from phase1 address "
2520 "due to no ID payloads found "
2521 "OR because ID type is not address.\n");
2522
2523 /*
2524 * copy the SOURCE address of IKE into the DESTINATION address
2525 * of the key to search the SPD because the direction of policy
2526 * is inbound.
2527 */
2528 memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
2529 switch (spidx.dst.ss_family) {
2530 case AF_INET:
2531 {
2532 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.dst;
2533 spidx.prefd = sizeof(struct in_addr) << 3;
2534 s->sin_port = htons(0);
2535 }
2536 break;
2537 #ifdef INET6
2538 case AF_INET6:
2539 spidx.prefd = sizeof(struct in6_addr) << 3;
2540 break;
2541 #endif
2542 default:
2543 spidx.prefd = 0;
2544 break;
2545 }
2546 }
2547
2548 /* make source address in spidx */
2549 if (iph2->id_p != NULL
2550 && ignore_id == 0
2551 && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
2552 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
2553 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
2554 || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
2555 /* get a source address of inbound SA */
2556 error = ipsecdoi_id2sockaddr(iph2->id_p,
2557 (struct sockaddr *)&spidx.src,
2558 &spidx.prefs, &spidx.ul_proto);
2559 if (error)
2560 return error;
2561
2562 #ifdef INET6
2563 /*
2564 * get scopeid from the SA address.
2565 * for more detail, see above of this function.
2566 */
2567 if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
2568 error = setscopeid((struct sockaddr *)&spidx.src,
2569 iph2->dst);
2570 if (error)
2571 return error;
2572 }
2573 #endif
2574
2575 /* make id[src,dst] if both ID types are IP address and same */
2576 if (_XIDT(iph2->id_p) == idi2type
2577 && spidx.dst.ss_family == spidx.src.ss_family) {
2578 iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
2579 if (iph2->src_id == NULL) {
2580 plog(LLV_ERROR, LOCATION, NULL,
2581 "buffer allocation failed.\n");
2582 return ISAKMP_INTERNAL_ERROR;
2583 }
2584 iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
2585 if (iph2->dst_id == NULL) {
2586 plog(LLV_ERROR, LOCATION, NULL,
2587 "buffer allocation failed.\n");
2588 return ISAKMP_INTERNAL_ERROR;
2589 }
2590 }
2591
2592 } else {
2593 plog(LLV_DEBUG, LOCATION, NULL,
2594 "get a source address of SP index "
2595 "from phase1 address "
2596 "due to no ID payloads found "
2597 "OR because ID type is not address.\n");
2598
2599 /* see above comment. */
2600 memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
2601 switch (spidx.src.ss_family) {
2602 case AF_INET:
2603 {
2604 struct sockaddr_in *s = (struct sockaddr_in *)&spidx.src;
2605 spidx.prefs = sizeof(struct in_addr) << 3;
2606 s->sin_port = htons(0);
2607 }
2608 break;
2609 #ifdef INET6
2610 case AF_INET6:
2611 spidx.prefs = sizeof(struct in6_addr) << 3;
2612 break;
2613 #endif
2614 default:
2615 spidx.prefs = 0;
2616 break;
2617 }
2618 }
2619
2620 #undef _XIDT
2621
2622 plog(LLV_DEBUG, LOCATION, NULL,
2623 "get a src address from ID payload "
2624 "%s prefixlen=%u ul_proto=%u\n",
2625 saddr2str((struct sockaddr *)&spidx.src),
2626 spidx.prefs, spidx.ul_proto);
2627 plog(LLV_DEBUG, LOCATION, NULL,
2628 "get dst address from ID payload "
2629 "%s prefixlen=%u ul_proto=%u\n",
2630 saddr2str((struct sockaddr *)&spidx.dst),
2631 spidx.prefd, spidx.ul_proto);
2632
2633 /*
2634 * convert the ul_proto if it is 0
2635 * because 0 in ID payload means a wild card.
2636 */
2637 if (spidx.ul_proto == 0)
2638 spidx.ul_proto = IPSEC_ULPROTO_ANY;
2639
2640 /* get inbound policy */
2641 sp_in = getsp_r(&spidx, iph2);
2642 if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
2643 if (iph2->ph1->rmconf->gen_policy) {
2644 if (sp_in)
2645 plog(LLV_INFO, LOCATION, NULL,
2646 "Update the generated policy : %s\n",
2647 spidx2str(&spidx));
2648 else
2649 plog(LLV_INFO, LOCATION, NULL,
2650 "no policy found, "
2651 "try to generate the policy : %s\n",
2652 spidx2str(&spidx));
2653 iph2->spidx_gen = racoon_malloc(sizeof(spidx));
2654 if (!iph2->spidx_gen) {
2655 plog(LLV_ERROR, LOCATION, NULL,
2656 "buffer allocation failed.\n");
2657 return ISAKMP_INTERNAL_ERROR;
2658 }
2659 memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
2660 generated_policy_exit_early = 1; /* special value */
2661 } else {
2662 plog(LLV_ERROR, LOCATION, NULL,
2663 "no policy found: %s\n", spidx2str(&spidx));
2664 return ISAKMP_INTERNAL_ERROR;
2665 }
2666 }
2667
2668 /* get outbound policy */
2669 {
2670 struct sockaddr_storage addr;
2671 u_int8_t pref;
2672
2673 spidx.dir = IPSEC_DIR_OUTBOUND;
2674 addr = spidx.src;
2675 spidx.src = spidx.dst;
2676 spidx.dst = addr;
2677 pref = spidx.prefs;
2678 spidx.prefs = spidx.prefd;
2679 spidx.prefd = pref;
2680
2681 sp_out = getsp_r(&spidx, iph2);
2682 if (!sp_out) {
2683 plog(LLV_WARNING, LOCATION, NULL,
2684 "no outbound policy found: %s\n",
2685 spidx2str(&spidx));
2686 } else {
2687
2688 if (!iph2->spid) {
2689 iph2->spid = sp_out->id;
2690 }
2691 }
2692 }
2693
2694 plog(LLV_DEBUG, LOCATION, NULL,
2695 "suitable SP found:%s\n", spidx2str(&spidx));
2696
2697 if (generated_policy_exit_early) {
2698 return -2;
2699 }
2700
2701 /*
2702 * In the responder side, the inbound policy should be using IPsec.
2703 * outbound policy is not checked currently.
2704 */
2705 if (sp_in->policy != IPSEC_POLICY_IPSEC) {
2706 plog(LLV_ERROR, LOCATION, NULL,
2707 "policy found, but no IPsec required: %s\n",
2708 spidx2str(&spidx));
2709 return ISAKMP_INTERNAL_ERROR;
2710 }
2711
2712 /* set new proposal derived from a policy into the iph2->proposal. */
2713 if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
2714 plog(LLV_ERROR, LOCATION, NULL,
2715 "failed to create saprop.\n");
2716 return ISAKMP_INTERNAL_ERROR;
2717 }
2718
2719 return 0;
2720 }
mirror of ipsec